ESET researchers analyze the latest activity of the infamous APT group: Lazarus group manipulates security software.
ESET researchers uncovered a campaign by the Lazarus group targeting South Korean internet users. The attackers use malware that infects the software supply chain through unusual manipulation. To do this, the hackers misuse a legitimate South Korean security software called WIZVERA VeraPort and digital certificates. In South Korea, it is common practice for users to be asked to install additional security software when they visit government or internet banking websites. The ESET researchers have now published their detailed analysis on WeliveSecurity.
“WIZVERA VeraPort is a special South Korean application to install and manage additional security software. Minimal user interaction is required to start such a software installation, ”explains Anton Cherepanov, the ESET researcher who led the investigation into the attack. “Usually this software is used by government and banking websites. For some of these pages it is mandatory to install WIZVERA Veraport. "
Illegal code signing certificate
In order to spread the malicious program used, the attackers use illegally acquired code-signing certificates. These were originally issued for a US subsidiary of a South Korean security company. “The attackers disguise the malware as legitimate software. The malicious programs have similar file names, symbols and resources to legitimate South Korean software, "says ESET researcher Peter Kálnai." It is the combination of compromised websites with WIZVERA VeraPort support and specific VeraPort settings that enables the attackers to carry out this attack. "
Is the Lazarus group behind the campaign?
The ESET experts have found evidence that suggests that the attack can be attributed to the Lazarus group. The current campaign is a continuation of what South Korean CERT (KrCERT) has called Operation BookCodes. This campaign was also attributed to the APT group.
Further indications are typical features of the tools used, the encryption methods, the establishment of the network infrastructure and the fact that the attack took place in South Korea, where Lazarus is known to operate.
More on this at WeLiveSecurity from ESET.com
About ESET ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.